At a time when data plays an increasingly critical role in operational efficiency and decision-making, the introduction of the Data (Use and Access) Bill (DUA Bill) represents a potentially significant legislative development for the public sector.
The DUA Bill was introduced on 23 October 2024 for its first reading in the House of Lords by the Department for Science, Innovation and Technology. The arrival of the bill was anticipated, having been announced, albeit by another name, in the King’s Speech in July 2024 as the Digital Information and Smart Data Bill. Its predecessor, the Data Protection and Digital Information Bill (DPDI Bill), had failed to make it through the final stages of Parliament ahead of the general election.
The government has made bold claims, announcing three core objectives for the bill: growing the economy, improving UK public services and making people’s lives easier.
Proposals also seek to revamp the Information Commissioner’s Office (ICO), the UK’s data protection regulator, by creating a new structure and stronger powers of enforcement to ensure the protection of people’s personal data.
Specifically within the public sector, these objectives translate into the potential for streamlined data processes, reduced administrative burdens and better user experience.
What will the DUA Bill do?
It has been estimated the DUA Bill will ‘unlock the power of data’ to improve public services by relieving administrative burden and bureaucracy, freeing up to 140,000 hours of NHS staff time and unlocking 1.5 million hours annually for police officers by not having to conduct manual logs – all framed as giving staff more time to conduct their day jobs and saving the taxpayer money.
The government asserts that the Bill will make people’s lives easier by providing the option of digital identities to make existing and future tools more secure, whilst confirming there are no plans to roll out national digital ID cards.
Among the DUA Bill’s provisions, those related to the standardisation of health and social care information technology stand out for their potential to significantly impact the sector’s day-to-day operations.
Several provisions are being reintroduced from the DPDI Bill, albeit with amendments, including smart data, a digital ID trust framework, the use of personal data for research purposes, a ‘legitimate interest list’ for data processing such as national security, emergency response and safeguarding, an AI decision-making approach for low-risk scenarios, international data transfers and new health and social care information standards.
This Bill will mean significant change for clients that will not only be required to comply with new information standards to enable extensive data sharing, but will also have to heed the new data protection reforms proposed in the Bill.
Data protection reforms
The Bill is set to make targeted reform to the UK’s data protection and privacy framework, including the Data Protection Act 2018 (DPA 2018), UK GDPR and the Electronic Communications Regulations 2003, with proposed changes to Part 3 and Part 4 of the DPA 2018.
The reforms provide further detail on the extent of recognised legitimate interests, clarify when further processing of data is compatible with the original purpose for which it was obtained, expand the types of cookies not requiring consent and remove the manual logging justification requirements for the police when accessing personal data.
We foresee that proposed reforms of particular interest to our health and social care clients will be changes permitting data controllers to obtain broad consent for scientific research, even if this has not specifically been identified at the time of collection. This removes barriers for public bodies such as the NHS to use data for research purposes without having to obtain explicit consent.
The new Bill retains the DPDI Bill proposal to widen and permit AI decision-making for low-risk scenarios on personal data. It maintains existing specific protections for special category data and enables people to still challenge decisions by requesting a human review. Public bodies navigating ‘low risk’ AI decision-making will need to ensure they have a robust decision-making framework in place ahead of any AI implementation to navigate any legal challenge.
The introduction of a new statutory complaints procedure will likely be more burdensome and require a data controller to facilitate the right to complain by providing a form to complete. The data controller will have 30 days to respond.
The Bill also requires organisations to notify the ICO of the number of complaints received in a specified period. Browne Jacobson will be able to provide support and templates to assist clients to meet any new statutory requirements.
What are the concerns with the DUA Bill?
While the Bill promises numerous benefits, it has not been without its critics. Privacy advocates and data protection campaigners have raised concerns about potential overreach and the implications for individual data rights, especially in the context of emerging technologies like AI.
Privacy and data campaigners, such as Big Brother Watch, perceive the DUA Bill as an erosion of privacy protection, restricting control over an individual’s own data, especially against the risks of emerging technology such as artificial intelligence.
We all have a role to play to address and alleviate public concerns and Browne Jacobson can support our clients with robust legal advice to assist in sound public law decision-making and the implementation of new legally compliant processes.
The Bill has only just begun its journey and, unusually, has commenced in the House of Lords. It is anticipated the technical expertise of the Lords will expedite the passing of this Bill, but it remains to be seen whose interests are best served as it passes into law.
With the second reading yet to be scheduled, we will be watching this with keen interest to foresee how best we can support our clients.
Conclusion
The DUA Bill represents a landmark shift in the legal framework governing data use and protection, with profound implications for the public sector.
As we continue to monitor the Bill’s progression and its eventual implementation, it is one to keep an eye on in order to stay ahead of developments and seize opportunities to enhance service delivery and operational efficiency in the evolving digital landscape.